This guide covers how to connect to Zadara VPSAs over IPsec using Openswan (version 2.6.37; later versions also work).
- Install Openswan:
  - apt-get install openswan (Debian/Ubuntu)
  - yum install openswan.x86_64 (RHEL/CentOS/Fedora)
- Edit /etc/ipsec.conf so that the iSCSI connection is defined. Note that Openswan only attaches a parameter to the preceding "config setup" or "conn" section when the line is indented:
###################
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    plutodebug="parsing control lifecycle dpd"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    nat_traversal=no
    # virtual_private=
    oe=off
    # Enable this if you see "failed to find any available worker"
    # nhelpers=0
    uniqueids=yes
conn zadara-VPSA-iscsi
    type=transport
    auto=start
    authby=secret
    ike=aes128-sha1-modp1024
    phase2=esp
    phase2alg=aes128-sha1
    ikev2=never
    dpddelay=5
    dpdtimeout=5
    dpdaction=restart
    pfs=no
    salifetime=1h
    rekey=yes
    rekeymargin=9m
    keyingtries=%forever # Always try to connect to VPSA
    ikelifetime=3h
    left=<Server-IP>
    leftprotoport=tcp
    right=<VPSA-IP>
    rightprotoport=tcp/3260
For NFS over IPsec, add a second conn section with a different name; the only difference from the iSCSI section is rightprotoport, which points at the NFS port (tcp/2049), e.g.:
conn zadara-VPSA-NFS
    type=transport
    auto=start
    authby=secret
    ike=aes128-sha1-modp1024
    phase2=esp
    phase2alg=aes128-sha1
    ikev2=never
    dpddelay=5
    dpdtimeout=5
    dpdaction=restart
    pfs=no
    salifetime=1h
    rekey=yes
    rekeymargin=9m
    keyingtries=%forever # Always try to connect to VPSA
    ikelifetime=3h
    left=<Server-IP>
    leftprotoport=tcp
    right=<VPSA-IP>
    rightprotoport=tcp/2049
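As an added example (not part of this guide, Openswan or Zadara tooling), the small Python checker below parses an ipsec.conf in the layout shown above and verifies the two VPSA conns: it reports a parameter that was left un-indented (which Openswan would not attach to the conn), a <Server-IP>/<VPSA-IP> placeholder that was never replaced, a wrong rightprotoport, and the 1024-bit DH group in the ike line. The sample configuration is constructed inline with RFC 5737 documentation addresses; the function names are this example's own.

```python
# Added example, not part of the guide or Openswan: parse an ipsec.conf in the
# layout above and sanity-check the VPSA conns (hypothetical helper).
import re
# Constructed sample: iSCSI conn as in the guide; NFS conn with a placeholder left in and its rightprotoport un-indented.
SAMPLE_CONF = """\
conn zadara-VPSA-iscsi
    type=transport
    authby=secret
    ike=aes128-sha1-modp1024
    keyingtries=%forever # Always try to connect to VPSA
    left=192.0.2.10
    right=198.51.100.20
    rightprotoport=tcp/3260
conn zadara-VPSA-NFS
    type=transport
    authby=secret
    left=192.0.2.10
    right=<VPSA-IP>
rightprotoport=tcp/2049
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; un-indented key=value lines go to '__orphan__'."""
    sections, current = {"__orphan__": {}}, "__orphan__"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if line[0] not in " \t" and "=" not in line:  # column 0: 'conn X' / 'config setup'
            current = line.strip()
            sections.setdefault(current, {})
        else:  # Openswan attaches a parameter to a section only when it is indented
            key, _, value = line.strip().partition("=")
            target = current if line[0] in " \t" else "__orphan__"
            sections[target][key.strip()] = value.strip()
    return sections

def check_vpsa_conn(sections, name, port):
    """List problems with the named conn; an empty list means it looks right."""
    conn = sections.get(f"conn {name}")
    if conn is None:
        return [f"{name}: conn not defined"]
    expected = {"type": "transport", "authby": "secret", "rightprotoport": f"tcp/{port}"}
    problems = [f"{name}: {k}={conn.get(k)!r}, expected {v!r}"
                for k, v in expected.items() if conn.get(k) != v]
    problems += [f"{name}: {s} is still a placeholder"
                 for s in ("left", "right") if re.fullmatch(r"<.*>", conn.get(s, ""))]
    if "modp1024" in conn.get("ike", ""):  # 1024-bit DH group is below current guidance
        problems.append(f"{name}: ike uses modp1024")
    return problems
```

Run it against the real file with parse_ipsec_conf(open("/etc/ipsec.conf").read()) and check both conn names; anything under "__orphan__" is a parameter Openswan will not see.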
The file /etc/ipsec.secrets must contain the pre-shared key. It can be obtained by viewing the properties of the server within the VPSA. Keep the file readable by root only (mode 0600), since anyone who can read it can impersonate either side of the tunnel:
###################
<server-IP> <VPSA-IP>: PSK "<INSERT PSK>"
###################
Start or restart Openswan:
/etc/init.d/ipsec restart
To re-read the secrets without restarting the daemon:
ipsec whack --rereadsecrets
Diagnostics:
ipsec whack --status